Authentication is the process of verifying the identity of either a user or a device, before authorising access to devices or services.

In each case, the authentication methods available will depend on what service is being accessed and from what type of device. Each authentication method will have its own strengths and weaknesses.

As an organisation, it is important to implement authentication steps that balance both the usability and the security of your devices and services. This guidance will present a range of different use cases and the common authentication methods that are available, highlighting both the security benefits and security risks. This will help you to design and deploy an effective authentication policy for your organisation's devices.

On smartphones, tablets, laptops, and desktops, user authentication is the main method for protecting against unauthorised access to devices and the data stored on them. It also plays an important part in protecting against unauthorised changes to device settings.

Given that most enterprise services will be accessed from devices, it is important that:

• The identity of the user of a device be verified. This will ensure that only those people who are meant to have access are authorised.
• If the service contains data you consider sensitive, the identity and health of a device should also be verified. This allows you to prevent devices that are not compliant with enterprise policy from accessing your services.

Attackers will always look to target weaknesses in authentication systems. Many common attacks look for simple ways to guess or steal user or device credentials.

With these credentials, attackers can impersonate valid users and devices, gaining access to data stored on devices, and connecting remotely enterprise services. They will also use this foothold to penetrate further into corporate networks.

Given these potential consequences, it should be clear that implementing effective authentication is essential for organisations wishing to protect against account, device or network compromise.

First and foremost, you need to consider the risks to the assets that you are trying to protect, the data they hold and the authentication use cases that you face. This information will allow you to formulate an appropriate policy for authenticating both users and devices, before granting access to systems and services.

For each authentication use case, you should consider both the usability and security of the available authentication methods.

Authentication use cases

The main use cases to consider are:

For each of the use cases above, when deciding on appropriate authentication mechanisms, it is important to consider which of the available authentication mechanisms are most appropriate to use, taking into account both security and usability.

User to device

In the case of user to device authentication, common methods of authentication include:

User to service / device to service

In the case of user to service authentication and device to service authentication, common authentication methods include

The security of any authentication mechanism will depend on the specific implementation and combination of factors that are chosen.

In some scenarios, use of a single factor may be appropriate. For example, in the case of user to device authentication, use of a single factor to authenticate to the device may be enough when taking into account mitigations such as brute force protection or hardware protected storage, available on many of today's devices.

For service level authentication though, in cases where a single factor of authentication does not provide an appropriate level of security, multi-factor authentication (MFA) can significantly strengthen security..

Built-in device authentication mechanisms that can be extended to integrate directly with your chosen identity provider to provide both passwordless and multi-factor authentication using public key based credentials bound to the device can often provide the best balance of usability and security. A good example of this is Windows Hello for Business. Use of FIDO2 security keys may offer similar benefits where users have more than one device. However, you will need to investigate support for this on the devices and with your identity provider.

Some enterprise authentication services can also be integrated with Mobile Device Management (MDM) to factor in environmental factors such as network location, device compliance, and device health attestation, before granting access to enterprise services. This type of conditional access can be extremely useful in zero-trust network architectures or bring your own device (BYOD) scenarios.

Single sign on to services

Enterprise single sign on can be used to sign in to online services using the single source of identity managed through your chosen identity provider. This can significantly improve the user experience by reducing the number of times authentication is required and to reducing reliance on passwords. It also makes managing joiners, movers and leavers much simpler and less error prone.

Logging and monitoring

In addition to authentication mechanisms, appropriate logging should also be in place to enable monitoring of authentication and access to devices and services. Attacks on authentication systems are amongst the most prevalent you'll face, so capturing these events into your audit logs is a highly effective way of detecting potential issues.

When designing and implementing enterprise authentication, you should:

• Choose an enterprise identity provider that supports multi-factor authentication for both users and the devices your organisation uses. Configure your online services to use single sign on authentication using your identity provider.
• Choose authentication factors that maximise usability and provide appropriate security based on the considerations above and make sure that devices you use support them when choosing what devices to use in your organisation.
• Provide clear authentication policies and guidance for users.
• Implement pragmatic user to device authentication policies, including the use of biometrics and usable password policies.
• Where possible, reduce reliance on passwords and implement passwordless authentication, such as Windows Hello.
• Where passwords are required for access to services, encourage use of password managers.
• For machine authentication, deploy mechanisms that use hardware-protected public key based credentials that are uniquely bound to the device. Consider, where possible, combining this with other context (e.g. on Windows you can use network location, device compliance and device health attestation). This is discussed more in the zero trust networking guidance.
• Deploy enterprise single sign on for access to services. Combine this with strong user and device authentication, using multi-factor authentication or conditional access.
• Implement appropriate logging and monitoring of authentication successes and failures.

• NCSC platform specific guidance
• Password administration for system owners
• Phishing attacks: defending your organisation
• Multi-factor authentication for online services
• Introduction to identity and access management
• Password managers: how they help you secure passwords
• Biometric recognition and authentication systems

Related guidance:

• Using biometrics on mobile devices
• Choosing and using mobile device management within your organisation
• Zero Touch Enrolment
• Adopting a bring your own device (BYOD) approach
• Network architectures for enabling remote access to enterprise applications
• Choosing devices
• Logging and protective monitoring

Related blogs:

• Spray you, spray me: defending against password spraying attacks
• What does the NCSC think of password managers
• Your password policy may have reached its expiry date
• The problems with forcing regular password expiry
• Living with password re-use
• Passwords, passwords everywhere
• Are security questions leaving a gap in your security
• Security breaches as communication: what are your users telling you?